Monthly Archives: November 2014

[In the article below, a summary of publicly disclosed cyber espionage campaigns released during 2014. An interesting read for those in the information security field.~Luis]

In January 2014 security software vendor Symantec published a report about a campaign of attacks that targeted the energy sector, titled Targeted Attacks Against the Energy Sector. According to Candid Wueest: The energy sector has become a major focus for targeted attacks and is now among the top five most targeted sectors worldwide. Companies in the sector are facing a growing risk of having their services interrupted or losing data.

In February 2014, Russian security software vendor Kaspersky released a report describing a series of attacks observed against 31 countries. The code name they used to refer to the incidents was Careto; the report is titled Unveiling “Careto” – The Masked APT. The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name “Mask” comes from the Spanish slang word “Careto” (“Ugly Face” or “Mask”) which the authors included in some of the malware modules.

During the same month the security company Trend Micro released its findings about the Russian underground. This report, Russian Underground Revisited, is the second part of a report initially released in 2012 which provided a summary of the underground market. Places on the Internet where cybercriminals converge to sell and buy different products and services exist. Instead of creating their own attack tools from scratch, they can instead purchase what they need from peers who offer competitive prices.

A few months later, Symantec described a series of attacks mainly against energy sector companies in Dragonfly: Cyberespionage Attacks Against Energy Suppliers. A cyber espionage campaign against a range of targets, mainly in the energy sector, gave attackers the ability to mount sabotage operations against their victims. The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to the energy supply in the affected countries.

June was the month when the security company CrowdStrike released its findings about a campaign code named Putter Panda. CrowdStrike has been tracking the activity of a cyber espionage group operating out of Shanghai, China, with connections to the People’s Liberation Army Third General Staff Department (GSD) 12th Bureau Military Unit Cover Designator (MUCD) 61486, since 2012.

In July, another report from Kaspersky came forward, this time titled Energetic Bear – more like a Crouching Yeti. Kaspersky also released an appendix containing IOCs. Energetic Bear/Crouching Yeti is an actor involved in several advanced persistent threat (APT) campaigns that has been active going back to at least the end of 2010.

A report issued by CrowdStrike described a sophisticated attack against a large Fortune 500 company; the campaign code name is Deep Panda. In late December 2011, CrowdStrike received three binary executable files that were suspected of having been involved in a sophisticated attack against a large Fortune 500 company. The files were analyzed to understand first if they were in fact malicious, and then the level of sophistication of the samples.

Also noteworthy is a report released by the company AIRBUS Defence & Space with the code name Operation Pitty Tiger – “The Eye of the Tiger”. This report contained information on a group of APT attackers known as “Pitty Tiger”. This information comes directly from investigations led by our Threat Intelligence. Pitty Tiger is a group of attackers that has been active since at least 2011. They have targeted private companies in several sectors, such as defense and telecommunications, but also at least one government.

Key findings about a campaign code named The Epic Turla Operation were released in August by Kaspersky. This was the result of 10 months of investigation into attacks against more than 45 countries. The company also released an appendix with IOCs. Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call “Epic Turla”. The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies. The attacks are known to have used at least two zero-day exploits.

Operation Arachnophobia was the code name for a campaign disclosed by the company ThreatConnect working in collaboration with FireEye. We first discovered a suspected Pakistani threat group in 2013, and have since followed their activity and found new observations and insight into the group and its tactics that we call “Operation Arachnophobia”. Working in collaboration with FireEye Labs, the TCIRT team has discovered evidence pointing to this group's continued exploitation operations using custom malware, dubbed BITTERBUG by FireEye.

In October iSIGHT Partners released the details of a campaign code named Sandworm, a report that disclosed the use of a zero-day vulnerability against Western governments, NATO and the Ukrainian government. In close collaboration with Microsoft, iSIGHT Partners announced the discovery of a zero-day vulnerability impacting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. Microsoft is making a patch for this vulnerability available as part of patch updates on the 14th – CVE-2014-4114. Exploitation of this vulnerability was discovered in the wild in connection with a cyber-espionage campaign that iSIGHT Partners attributes to Russia.

During the same month the security software company Sophos released a report code named The Rotten Tomato Campaign. Gabor Szappanos, of SophosLabs Hungary, takes an interesting dive into the world of the attackers, examining the malware used by cybercriminals in these attacks and showing how several different groups used the same zero-day Microsoft Word exploit.

A series of attacks targeting companies in the Defense Industry was code named Operation Death Click and disclosed by Invincea. Most targeted attacks against organizations originate as spear-phish campaigns or watering-hole style web drive-by attacks. Within the last six months, Invincea has discovered and stopped targeted malvertizing attacks against specific companies — particularly those in the Defense Industrial Base.

A large-scale effort that targeted Fortune 500 companies, code named Operation SMN: Axiom Threat Actor Group Report, was disclosed by the software analytics company Novetta. The company also released extra resources ranging from static analysis of the malware to YARA signatures. Axiom is responsible for directing highly sophisticated cyber espionage operations against numerous Fortune 500 companies, journalists, environmental groups, pro-democracy groups, software companies, academic institutions, and government agencies worldwide for at least the last six years.

The Italian firm Tiger Security disclosed details about Operation Distributed Dragons. Although it is no news that the way of performing attacks continuously changes shape and form, since January 2014 there has been evidence of a new “breed” of Chinese DDoS attacks based on the breach of Linux servers, whose objectives are not completely clear but significantly different from the approach so far experienced.

A series of incidents targeting the United States and its allies using spear-phishing tactics was disclosed by Trend Micro in Operation Pawn Storm – Using Decoys to Evade Detection. Operation Pawn Storm refers to economic and political espionage attacks instigated by a group of threat actors primarily targeting military, embassy, and defense contractor personnel from the United States and its allies.

The German security software company G Data Software published the details about OPERATION “TOOHASH”. The experts of G DATA’s SecurityLabs discovered a cyber-espionage campaign that perfectly exemplifies the way targeted attacks work. The purpose of this campaign was to steal valuable documents from the targeted entity. We entitle this operation “TooHash”.

Still in October the security software vendor FireEye published a report about a campaign of attacks that targeted the energy sector: APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS? In this paper we discuss a threat group whose malware is already fairly well-known in the cybersecurity community. This group, unlike the China-based threat actors we track, does not appear to conduct widespread intellectual property theft for economic gain. Nor have we observed the group steal and profit from financial account information.

Last week the details about a campaign code named The Dark Hotel APT were released by Kaspersky. The report presents facts about attackers that have been active for at least seven years, conducting targeted strikes against guests at luxury hotels in Asia as well as infecting victims via spear-phishing attacks and other mechanisms. The company also released an appendix with IOCs. The Darkhotel APT is a threat actor possessing a seemingly inconsistent and contradictory set of characteristics, some advanced and some fairly rudimentary.